Winnti APT group docks in Sri Lanka for new campaign

Categories: Threat Intelligence. Tags: Winnti, APT, China, Sri Lanka, India, Keyplug, malware, dropbox, C2, DBoxAgent

In this research paper, we document a new campaign that we attribute to the Winnti APT group. The victims are located in Sri Lanka, at a point in time when the country is going through economic hardship and China is making headlines for docking one of its special vessels there.

The post Winnti APT group docks in Sri Lanka for new campaign appeared first on Malwarebytes Labs.


In early August, the Malwarebytes Threat Intelligence team identified a new attack targeting government entities in Sri Lanka. The threat actors used multiple layers of protection and techniques to make analysis harder and hide their final payload.

However, based on tactics, techniques, and procedures (TTPs), as well as code similarities, we believe that this attack falls under the Winnti umbrella (also known as APT41). Winnti is a Chinese state-sponsored group that has conducted cyber espionage and financially motivated operations since 2012. Winnti remains active, and its arsenal keeps growing, making it one of the most sophisticated groups operating today. Sri Lanka's location in South Asia is strategic for China, as it offers open access to the Indian Ocean and is close to India.

We identified several payloads being dropped in this campaign, including the well-known KeyPlug malware. More interestingly, we found a new backdoor that we call DBoxAgent due to its use of Dropbox as a command and control server. We shared our initial findings with Dropbox, who immediately took action to stop this malicious activity. We would like to thank the Dropbox threat intelligence team for their response.

Here are the highlights of this investigation:

  • To our knowledge, Winnti (a China-backed APT) is targeting Sri Lanka for the first time
  • The attack time frame coincides with a major geopolitical event involving China and Sri Lanka
  • The threat actors created a new backdoor and used Dropbox for their command and control infrastructure

Download the full report here.
